Frequent WordPress backups can minimize data loss and thereby greatly help your business. However, they can be resource-intensive and affect your WordPress site performance, if not done right.  

Frequent backups present some obvious advantages which are particularly important for WordPress (WP) sites. Content creation takes some planning, effort, and resources. Losing such content may become a major setback for your website. Daily backups minimize data loss in such cases.

Finding secure storage solutions is a real challenge with frequent WordPress backups.
Finding secure storage solutions is a real challenge with frequent WordPress backups.

WordPress sites are dependent on many third party plugins and themes. WordPress site owners are always running the risk of installing software that is not compatible with other plugins or themes on the site or installing those which may have some vulnerabilities. The risk of losing data from frequent updates and third-party software vulnerabilities is mitigated to a degree by having up-to-date backups.


Advantages of Frequent Backups

  • Minimize data loss
  • Reduce downtime
  • Retain updates & functionalities on WP sites


What are Frequent Backup Options?

Of course real-time backups is the best solution to achieve the goals stated above. Hourly/Daily backups may be the most frequent options apart from that.


Challenges with Frequent Backups

Higher frequency of performing backups brings its own complications. Backing up sites not only makes demands on your server resources but also brings up the issue of secure storage of the backups made. To add to the list of issues to consider, tracking whether backups have happened correctly and what has been backed up is not always easy.


Backups are Complicated

We have been in the business of premium WordPress backup service for over five years now. A number of things can, and do go wrong with backups. Sometimes when someone opts to backup their site manually, it is as simple as forgetting to perform frequent backups.

Often, WordPress site owners don’t know if backups are happening according to plan. Sometimes not all files are backed up.

In cases where site owners may have backups, restoring sites may not be easy. At other times, site owners who are relying on backups by web hosting services may not be fully aware of backup & storage policies. As a result, there have been times when WordPress site owners find out that there may not be any backups when they need it the most.


Resource Intensive

Increased load on your server resources could lead to an increased site load time or pages crashing. Otherwise, the user experience of visitors to your site may be spoiled because certain elements in the site may not function as intended.


Large Sites Offer Their Own Problems


Backing up larger sites takes more time & more resources. In such cases, it is possible that certain sites may not get backed up at all. This is because hosting services; especially on shared hosting, have policies about the time, and the server-resources that a particular task can take. In such cases, although you may have employed a backup solution, your site may have not been backed up at all, or may have been backed up incompletely. In both cases, restoring the site is not possible.


Storage Space & Security

Frequent backups lead to multiple copies. Storing these copies securely can be a challenge. Storing backups on your own Dropbox accounts or local storage devices like your PC’s hard drive (HDD) or USB drive is not recommended.

Backups stored locally can become infected with malware as you are constantly browsing and downloading files. Also, HDDs or USB drives have been known to crash. This doesn’t even account for the risks associated with accidents and natural disasters.

Storage may drive up the cost of storing backups as you may have to invest in independent storage solutions.
In all the above cases the real risk is that eventually when you need to restore your site you may not have backups, have incomplete or infected backup files. This is not the optimal scenario for your business. Probably a good way to evaluate a backup solution is to list some scenarios in which you would need to rely on backups, and see if the backup solution in question will give you access to backups and allow you to restore your WordPress site.


The Answer?: Backup Service as a Solution

A WordPress backup service like BlogVault will not only take care of storage space and security but make incremental backups. This intelligent approach ensures that even large sites on shared hosting can be completely backed up. Apart from this backups services may also eliminate cache and log files from backups, thereby reducing problems at the time of restores. All of this is done automatically, thereby eliminating the human errors so that you can go about your business without worry.


With a WordPress backup service restoring your site is always the goal. When the time comes you will have multiple backups versions; securely stored, from which you can choose. You can also automatically restore your site with a single click. Of, course a backup service comes with a more premium price tag but with the price, you’ll have backups with best practices at your disposal.


WordPress is the fastest-growing, most popular CMS in the world because of its user-friendly features, but this also puts a target on its back. Why is WordPress popular with hackers?


WordPress is a popular hacker target


Whether it’s a simple blogger writing about college experiences, or the Time Magazine, WordPress is the choice CMS for anyone looking to publish content on a website. And for good reason too: WordPress is not only Open Source, it’s extensible, flexible and it’s also supported by a community that actively contributes.

How popular is WordPress?

WordPress is currently the most used, and the fastest-growing CMS in the world. And according to data from W3Tech for August 2016, 246 WordPress sites were added to the internet every day.


WordPress' growth for August 2016, according to W3Tech's data
WordPress’ growth for August 2016, according to W3Tech’s data


By September 2016, this number had only increased:


WordPress' growth in September 2016, according to W3Tech's data
WordPress’ growth in September 2016, according to W3Tech’s data


This illustrates the rapid pace at which WordPress is growing, and that the rates of its use have continued to grow. Considering all the features that make WordPress popular, it’s not surprising how the CMS got to this position, and why it will grow more rapidly.

After all, the CMS is Open Source meaning that it is transparent to anyone who wants to learn how to use it effectively, while also offering a number of alternatives that help make it convenient, extensible and functional. What makes it the most popular amongst other Open Source CMSes like Joomla and Drupal, though, is the fact that it is more user-friendly. WordPress requires lesser technical knowledge than any other Open Source CMS, and is a lot simpler to use in that regard.


WordPress’ popularity makes it an obvious target

WordPress started out as a publishing platform that only needed basic technical knowledge to handle. This is what made WordPress popular. However, it didn’t stop at that. The more users it acquired, the more was created for it by the community. The add-ons created made WordPress more flexible, and more functional. This meant it became more widely used.

Data from W3Techs shows that of all the websites in the world, 54.6% don’t use a CMS at all.
Of the rest that do rely on a CMS (45.4%), WordPress powers 26.7%, meaning it is the base for 58.9% of all websites that run on a CMS.


WordPress is the most popular CMS according to W3Techs
WordPress is the most popular CMS according to W3Techs


Having more users than any other CMS put a target on WordPress’ back… similar to how the Windows Operating System was targeted when it was still new.

Back then, since the OS was so widely used, hackers targeted vulnerabilities that the developers hadn’t foreseen. This ensured that more users could potentially be affected by a single hack. All the hackers needed to do, was to ensure that the malicious files were made accessible to the users. With WordPress this isn’t a concern since all a hacker has to do, is to find a way to automate an exploit.

Most hacks are automated, which means they don’t need the hacker’s intervention. The hacker only programs a crawler bot to run malicious code when it finds vulnerabilities that allow it to run. The bot then replicates the exploit on other sites that have the same common vulnerability. This could lead to millions of sites getting compromised at a time.


Reason #1: Wide scope, more damage

According to WordPress, there are about  22.9 million page views on WordPress sites per month. This makes WordPress an attractive target for hackers’ attacks. The way they see it, the more the audience, the more the potential damage an attack can incur.

Hackers perform exploits for a number of reasons, so the scope of this damage can vary, but what they aim for, is to gain the most out of a single exploit; whether it is visibility, information or resources.All it takes to hit the jackpot, is one unique, undetectable exploit.

One example of this, was the case of TimThumb (an image-to-thumbnail resizing plugin) which was so popular that a number of themes had it bundled with their offering. So users didn’t even have to install the plugin for their site to be vulnerable. If they were unaware that theme being used on their WordPress site was using the plugin then they would be sitting ducks. When it was exploited, a number of users got hacked because they didn’t even know that they had the malicious code on their sites.

Moreover, with attacks like Cross-site Scripting (XSS), all it takes for malicious code to propagate, is people simply visiting the infected sites, or using them. Attacks like these maximise the range of the damage, and spread exponentially.


Reason #2: WordPress has all sorts of users

WordPress sites can host anything from a forum to an e-commerce site, with the help of add-ons (plugins, themes and widgets). This makes the CMS extremely popular amongst users.

Even those who are code-illiterate can perform basic modifications to their site, and publish content. However, what most users don’t expect, is the amount of work, and technical expertise it takes to maintain a WordPress site. Maintaining a fairly secure WordPress site requires great attention to detail, and perseverance, especially since simply updating an add-on on the site could lead to the whole site crashing. Not performing the update, on the other hand, would leave the site vulnerable to attacks. Users, therefore have to acquaint themselves with the basics of a WordPress site, such as the parts of a site, what they contain, and how to test updates before updating them… Or at least invest in a WordPress backup solution that is reliable, and sensible. However, since a considerable portion of the WordPress community of users doesn’t have the technical know-how or time required, they are easy targets. What makes this scenario worse, is the fact that a large portion of the community are novices who are ignorant of how hacks work, or what could make a website insecure.

Another factor to consider, is that WordPress users with the right amount of technical know-how they can modify their installations of WordPress to suit their needs. Those who don’t have the expertise or time, however, rely heavily on plugins for added functionality. This leads to vulnerabilities, since not every plugin or theme is coded according to WordPress standards. This allows hackers a lot of room– any one outdated plugin could be exploited easily. And again, if the plugin is widely used, then all they have to do to exploit multiple sites is identify the sites that use the vulnerable version and replicate the exploit.


Reason #3: WordPress has all sorts of developers

Since it runs on the Open Source philosophy, WordPress has everyone from the community contributing code to it, from novices to experts.

This means users who have only just started experimenting with code, contribute alongside hobbyists, expert developers, and third-parties too (who code premium add-ons made available on websites like ThemeForest). Every contributor can access resources from the community, such as the WordPress Codex, forums, and other websites, but there is no way to make sure that the contributors follow them. This obviously means there is room for error, which makes WordPress a low-hanging fruit for hackers.

Added to this, WordPress runs on a ‘security through transparency’ model, which means that everything: every vulnerability, where it was found and security patches are all announced to the community. Hackers, therefore, don’t even need to put in the effort to find vulnerabilities or how they work. All they have to do, is scan the WordPress community for news, and put two and two together to exploit websites that are still vulnerable. The situation is exacerbated by the fact that WordPress users, due to maintenance issues, don’t usually update to patches as fast as they should.


So is WordPress safe?

Going back to our Windows analogy, in spite of the system quickly adapting, people still perceive it as being insecure when compared to Linux-based Operating Systems. This is because hackers target it since it has the most users. The same applies to WordPress.

All of the reasons mentioned above do not mean that WordPress is in itself vulnerable to attacks; in fact, there haven’t been any major exploits on WordPress core because of how stringent quality control is with the core.

However, more vulnerabilities are reported on WordPress, because of how ‘security through transparency’ on WordPress works. This gives an illusion that the CMS isn’t safe, but to be fair, there is no such thing as a secure website. WordPress is susceptible to hacks because of a number of factors, such as the varied demographic of its user and developer base, but following simple security measures eliminate a number of risks, and entry points.

Since hacks are such a prevalent threat, the wisest security measure, would be to invest in an intelligent malware scanner and hack cleaner designed especially for WordPress, like MalCare.


Flywheel being a managed WordPress hosting service offers great features including WordPress backup. The increase in features and focus specialization is certainly reflected in the price too. So, are Flywheel backups worth it?

Flywheel is a managed WordPress hosting platform. They exclusively host WordPress sites and as a result, Flywheel is optimized for that platform. This means that you can expect WordPress backups and services that are a cut above your run-of-the-mill shared hosting environments on other web hosts. With this, costs rise proportionally as well. So, does this mean that we will discover a web host WordPress backup on which you can rely? Read on, to find out!

A Screenshot of Flywheel's website
A Screenshot of Flywheel’s website

Before we begin, welcome back to our series reviewing backups by web hosts. Check out our previous articles in this series on backups by WP Engine, HostGator & SiteGround if you’re interested in how they backup your WordPress site.

Flywheel Backups:

As usual we would, ultimately, be looking to answer one question- Can you rely on Flywheel for your WordPress backups? Being a hosting service dedicated to WordPress, Flywheel is optimised for the CMS and provides backups as a part of its service. However are the WordPress backups completely independent of Flywheel? Let’s find out.

  • Flywheel makes nightly automated backups of your WordPress site.
  • You access 30 days of backups through your dashboard.
  • Flywheel’s documentation says that it backs up everything in your WordPress folder including uploaded files.
  • Backups are stored offsite on Amazon S3 servers.
  • Apart from these features you  can download your backups in .zip format; and restore your WordPress site with a single click.

Points to keep in mind:

  • When you are restoring your site, visitors are going to see a ‘site down for maintenance’ message.
  • Flywheel provides a staging environment to test changes and updates to your site.

Review of Flywheel backups

Flywheel allows you to force backups anytime you want. This is helpful when you have to make updates or major changes to your site. When you are restoring your site, it automatically prompts you to make a restore of the current version. It is a handy feature to have as you can roll back your site in case the restoration process does not work out. However Flywheel does not function as complete WordPress backup service despite getting many things right. As a consumer you will have to decide if you can ignore issues or do you want to go for the best WordPress backup plugin.

Backup Descriptions

When you force a backup, you are prompted to provide a backup description. In such a case, you can name the backup according to the reason you are performing the backup. For  example, if you are updating plugin X, then you can name the backup as ‘before updating plugin X’. Although you have 30 days of backups available on a list in the Backups tab of your Flywheel dashboard, you can immediately identify this one.

Forcing a backup on Flywheel first results in a pop-up asking for a backup description to help tell backups apart
Forcing a backup on Flywheel first results in a pop-up asking for a backup description to help tell backups apart

Automatic backups on the other hand, can only identified by their dates and the number of posts, pages, comments, plugins & uploads. There is very little to differentiate what has exactly changed since the last backup. This is particularly painful when you start making backups before updates, restores, and so on. This interrupts with the automatic backups repeating number of posts or pages or jumbling them up. A hack most people would think of, to restore the backup version with the most posts or uploads will not work in such a case.

Flywheel's automatic backups are hard to tell apart
Flywheel’s automatic backups are hard to tell apart

Downloading Backups from Flywheel

Downloading backups is very easy you can do it from the BACKUPS tab in your Flywheel dashboard itself. Once you have opted to download a particular backup, you will get an email notification informing you that your backup is ready for download.

Downloading Flywheel's backups is easy
Downloading Flywheel’s backups is easy

One thing we did notice when we unzipped the downloaded backup is that, wp-admin and wp-include files were missing from the downloaded backup.

Our downloaded backup didn't contain the wp-admin and wp-include files
Our downloaded backup didn’t contain the wp-admin and wp-include files

We must mention that we had no issues with restoring the site from our dashboard. This means that Flywheel will have a backup of those folders. But, you can’t access those folders of your site when you simply download a backup from the Flywheel dashboard. It is more a question of convenience- how easily can you access all the files on your site?

Does Flywheel backup give you control?

In case some files are being excluded from backups, you cannot simply add files to your backup right from the dashboard of your account. You can’t know the specific files or directories being backed up either.

This lack of granular control extends to downloads and restores too. Your backups as mentioned are zipped and sent to you. You do not have the option of choosing which files or tables you want to download. While this outs some sort of a burden on your storage space or labor the matter is a little more serious when it comes to restores.

Losing Data When You Lose Control Over Backups

Flywheel restores your site by removing all the old files and replacing them with the backup version you have chosen. This means that changes made in this interim will be lost. In case you know that a specific plugin or file is the issue, then you can restore only those files or plugins without losing your data.

Ideally, making incremental restores to your WordPress site would not ensure that it is up and running quicker but will also ensure that changed data since the restore also is not lost.

Of course you can always make a backup before restoring, and then download it. You would then have to upload all of that content again and make sure to take a backup of this latest version of your site. However, this seems like a circuitous way to solve the issue.

On the note of control over backups, we thought we’d mention that you also cannot customize your backup schedule.

Conclusion on Flywheel Backup:

A summary of FlyWheel's backups
A summary of FlyWheel’s backups

As expected Flywheel gets a lot things right however, their backups still don’t cut the standard of a complete WordPress Backup service. As Flywheel mentions on their site, they’d like to work with the “best of breed” for everything. If you too are looking for that “best of breed WordPress backups” then you might want to look elsewhere.

Stay safe & always, always backup!

By now you most probably would have come across this story which has taken the internet by storm recently, especially the programming community. The story reads:  How a hosting company lost its entire business because of one line of bad code. Any person even vaguely familiar with command prompt can guess that one line:
rm -rf

(well the actual line of code as per its author was rm -rf {foo}/{bar})


The issue first came to public notice when the person responsible for this catastrophe asked for help on ServerFault (question now removed). As per the question and followed thread of comments author intended to run a script that did a few task along with deleting all files/folders inside certain folders passed as variable. Due to an error in the code, the variable got wrong value which resulted in wiping everything on the machine. Unfortunately he ran this same script on all his machines which led to deletion of everything. A complete annihilation!


Add to that he ran a web hosting company. He not only deleted his entire company code and data but also wiped clean all customer data. This affected some 1535 customers who were using his service (figures provided by him on serverfault’s thread).


Did he take backups?

Whenever a person read such stories, first thing to come across mind is – why didn’t he take backups? Well as per him, he did. He made backups on separate disks, however these disks were mounted to the main machine and hence the contagious script managed to wipe them too.


He posted a comment that read:

“All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).”


We often come across users who are trying our service and tell us at the end of trial period, while they really loved our service their hosting company provides backup and hence they may not need our service. It’s difficult to explain why you cannot blindly rely on backups done by your hosting provider but this certainly is a good example to start with.


We understand it’s a rare case scenario coupled with human error and probability of something like this happening with your premium managed hosting provider is equivalent to probability of discovering extraterrestrial life. But the important thing to notice here is there is still a probability. There are over 1 billion websites on the internet today, even mere 0.1% accounts to 1 million websites and that’s a huge number. You definitely don’t want to be one in this million group.


If something similar happens with the managed hosting provider you are signed up with, your included backups will do you no good. This hosting company just lost all its data. Yes it was because of the carelessness of the system admin but human errors can happen anywhere. There can be another similar case, where a hacker somehow breaks into your hosting company’s server and run similar script intentionally. That will affect you equally. Not only your production site is gone, also the backups.

You should never completely rely on backups by your hosts

Though there are many managed hosting companies that provide quality automated backup to their customers, one should not completely rely on these backups especially when the site in question is your main source to bread and butter. If their system is compromised, so are you and your sites. We cannot emphasise enough how important it is to have backups completely independent from your hosting servers.  

Let’s assume another case where your hosting company is hit by a major DoS attack and it went completely down for 3-4 days. Your site data may be safe but there is no way to access it. There is no certainty how soon they will recover and you cannot let your site just hang around like that. Since your backup belongs with the same hosting company, there is no way to access them either. Like it or not, you’re stuck. If only your backups were independent, you could have hosted them somewhere else meanwhile.


These are real world examples and can happen to anyone. A good backup needs to be offsite, robust, completely independent from your main servers and most importantly something you can access and deploy anywhere within minutes. We have seen enough number of times people despite having zip of their backup, running over various tech forums desperately seeking professional help to get their site restored because just unzipping it won’t bring the site back. There are various server configurations that may require fixing/updating in wake of recent disaster. Similarly a good robust backup should have an easy way to validate itself. Consider a situation where you are relying on a backup which is corrupt and you only learn this when you needed it. It’s a nightmare! While most managed hostings do provide decent backup service, these are a few scenarios where they fall flat.


Our post is not aimed to scare our readers, we just want to educate people about the importance of an independent automated backup service. One can never take their system for granted. As per the very nature of machines they are bound to crash, hacked, wiped out, melt down etc. One need to have sound backup system not just for their sake, but also for the sake of their users. And we just happen to provide one 🙂

PressNomics is a 3-day conference for the renowned creators of third-party products and services for the WordPress community, organized by Pagely. It’s all set to take place this week, starting from the 2nd of March till the 5th, at the Tempe Mission Palms, Tempe, Arizona. Our founder, Akshat Choudhary, will be representing BlogVault at this event.


More About PressNomics

The PressNomics conference will cover topics pertinent to WordPress entrepreneurs like community considerations, growth hacking, and customer relationship management. Some remarkable speakers attending this event include (but are not limited to)

and many more…

BlogVault at PressNomics

Well, we’ll not be presenting at PressNomics, but we’ll definitely be around to discuss WordPress security and backups (and anything else you might want to talk about). So guys and gals, if you’re there this week, feel free to catch up with us for a chat or drinks. We would love to meet you all!

A .htaccess file is a distributed configuration file that’s present not just in WordPress, but in all Apache web hostings. .htaccess files can be used to boost your website’s performance, security and usability. A few features that you can enable or disable using a .htaccess file include server signature, file caching, URL redirection, password protection and custom error pages.

WordPress installations may or may not contain the .htaccess file in the root directory, depending on your permalink structure; while a default ‘ugly’ permalink structure comes sans .htaccess, a pretty permalink structure auto creates a .htaccess file in your WordPress. In case you’re using default WordPress settings (read an ugly permalink structure), it is highly advisable to change it to a pretty permalink structure. Now assuming that you want to enable default pretty permalinks, create a new notepad file and rename it to .htaccess (not .htaccess.txt). Include the following basic code in the file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Save the changes and upload the file to your WordPress root directory using FTP.

Protect your .htaccess File

To protect your .htaccess file from external users and to tighten website security, it is recommended to add the following code to the .htaccess file:

<Files .htaccess>
order allow,deny
deny from all

While making any modification to your .htaccess file, it is important to remember that even a tiny error in the .htaccess file can cause a major issue on your website, so much so you might even end up disabling your entire server with one simple typo. Hence, it is advisable to make a backup of your .htaccess file before making any changes to it. This way, if something goes wrong, you can always revert to the backup version of the file.


You know how they say that insects develop resistance to insecticides over time? Well, that’s sort of how it’s become with passwords these days. Passwords have been used to secure user accounts for such a long time now that they’ve started to lose their effectiveness. Of late, more and more hack attacks have become successful. The need of the hour, therefore, is to put to practice novel methods to strengthen existing authentication processes. In this light, the easiest and most practical thing you can do to further secure your WordPress site is to set up a two-factor authentication process for your WordPress login.

Two-factor authentication requires users to provide a code sent to them, in addition to their login credentials, in order to login to the admin dashboard. This way, an extra layer of protection is added to confirm that it’s indeed the user that’s logging into his profile and not someone else that’s gained access to his password.

The iThemes Security Pro plugin for WordPress sets up a second verification step for your WordPress login by using Google Authenticator. For using this feature, you’ll have to first install iThemes Security Pro on your WordPress and then download the free Google Authenticator app onto your smartphone. Once that’s done, you’re good to go.

Setting up Two-factor Authentication

Step 1: Enable Two-factor Authentication in iThemes Security Pro

  • Scroll to the two-factor authentication section on the ‘Pro’ tab of the plugin.
  • Here, you’ll find options for time-based OTP (one-time password), email and backup verification codes. In time-based OTP, the secondary code will be generated by an app like Google Authenticator. In the email option, the code will be sent through email once the login credentials are provided. The backup verification codes comprise a set of secondary codes that can be used in the event that access to the primary two-factor provider is lost. These codes expire after use and should be stored in a safe place.
  • It is advisable to enable more than one of these three options by checking the boxes next to them (preferably, all three).
  • Click on ‘Save All Changes’.
  • Once two-factor authentication has been enabled by admin, other users can activate it on their individual accounts by editing their profiles.

setup two factor authentication 01

Activate by Editing Individual User Profile

  • Click on the ‘Your Profile’ option found under ‘Users’ on your WordPress dashboard and scroll down to ‘Two-factor Authentication Options’.
  • Here, you’ll find the list of authentication code providers.
  • Enable ‘Time-Based One-Time Password (TOTP)’ and make it your primary provider of two-factor authentication.
  • It is advisable to enable either one or both of the remaining options for backup, in case you lose access to your primary two-factor provider.

Now all that’s left is to set up your site in the Google Authenticator app. For this, you’ll require the QR code and secret key that appear on clicking ‘View Time-Based One-Time Password Configuration Details’.

setup two factor authentication 02

Step 2: Add your WordPress Site to the Google Authenticator App

  • Open the Google Authenticator app on your phone.
  • To set up the app on your phone, click on ‘Begin setup’.
  • You’ll then be given two options regarding how you want to add your WordPress site to the app: Scan Barcode and Manual Entry.
    • If you choose ‘Scan Barcode’, a QR code scanner will appear on our screen. Remember the QR code we spoke about earlier? The one on your WordPress profile page? Scan that QR code by pointing your phone’s camera at your computer screen.
    • If you choose ‘Manual Entry’, you’ll be asked for the ‘secret key’ mentioned on your WordPress profile page. Enter the key, and you’re good to go.
  • Once the QR code or secret key is recognized by the Google Authenticator app, your WordPress site will automatically be added to the app.

The Google Authenticator app will now start to continually generate 6-digit tokens – your authentication codes. Each generated token/code will hold good for 30 seconds, until the next token/code is generated.

In case you temporarily lose access to your primary two-factor code provider – say because you  don’t have your phone with you at the moment, but want to desperately log in to your WordPress dashboard nonetheless – you can always use a backup provider to log in to your account then. However, in the event that you lose your phone or something and want to completely disable two-factor authentication, any of your WordPress administrators can do it for you. All they need to do is turn the feature off on your user profile. This will override and disable two-factor authentication for your user account. It should be noted here that administrators can only disable the feature for a user, not enable it.

Two-factor authentication can also be enabled for WordPress using other plugins like Duo Two-factor Authentication, Clef Two-factor Authentication, and Rublon. Learn more about using these other WordPress plugins here.

So you’ve just installed WordPress on your system and are raring to go. You’re thinking of how to start and what to start with. However, before you embark on the journey of developing your website, there’s a tiny little thing you need to do – prevent Google and other search engines from crawling your site.

I know what you’re thinking. As a webmaster, one of the most important, and perhaps the most obvious thing you would want is to bring traffic to your site. And getting Google to index your site as fast as possible would surely help with that, right? Yes, it will, but you need to wait just a little longer for it. Trust me when I say that you don’t want web crawlers and robots all over your site just yet.

Blocking GoogleBot

More often than not, you would be directly working on your live site and it is only natural for things to get messy at this stage. It is for this reason that it is advisable to temporarily block search engines from crawling and indexing your site until you’re past the initial development phase.

You might also not want Google or other search engines to get their hands on your site’s content for a variety of other reasons. So the question now is, how do you stop Google from indexing your WordPress website?

Blocking Google and Other Search Engines

Using a Robots.txt File

The most basic thing to do would be to manually create and upload a simple robots.txt file to your website’s root directory, instructing all search engines to stay away from your site and not index any part of it. The text file will carry the following syntax:

User-agent: *
Disallow: /

You can also use an inbuilt feature on your WordPress dashboard to block search engines from indexing your site. For this, you need to

1. Go to ‘Settings’, select ‘Reading’.

Block indexing using WP tool Step01

2. Check the box next to ‘Search Engine Visibility’ that says ‘Discourage search engines from indexing this site’. Click on ‘Save Changes’.

Block indexing using WP tool Step02

This automatically adds the following syntax to your site’s robots.txt file:

User-agent: *
Disallow: /

It also adds the following line to your website’s header:

<meta name='robots' content='noindex,follow' />

Although this method protects you from most of the search engine crawlers and robots out there, it isn’t a hundred percent safe.

Password Protecting your Website using cPanel

Web crawlers cannot access password-protected files. Hence, if your web host provides you with cPanel access to manage your hosting account, you can password protect your website files from your cPanel dashboard. For this, you need to

1. Log in to your cPanel account and click on ‘Password Protect Directories’;

cPanel password protect directories

2. Select the document root in the pop-up window and click ‘Go’;

cPanel directory selection

3. Select the folder where your WordPress is installed;

4. Check the box next to ‘Password protect this directory’, type in a name for the protected directory, and click on ‘Save’;

5. Once you receive a success message, go back to create user;

6. Add a username and password, and click on ‘Add/modify authorized user’.

cPanel security settings

And you’re done! Your WordPress site is now password protected, and therefore, can’t be crawled upon by search engines.

Password Protecting your Website using a Plugin

Another way to password protect your site is by using any one of the various plugins available on WordPress itself.

password protect pugins

All you need to do is install a plugin (it is advisable to select one that has been updated recently) and activate it. Once it’s activated, go to ‘Settings’. Enable the plugin and set your password. Click on ‘Save Changes’, and you’re done! No search engine crawler or robot can access your website, let alone index it.

Whatever your reason may be, if you want to keep search engines from crawling on your website, you can choose any of the above mentioned methods to keep your website data safe, depending on your requirements and the resources at hand.


Wordpress themes are what distinguishes one wordpress site from 55 million others and gives it an individual personality. However, for a beginner starting off using wordpress finding a good theme which not only expresses the website’s brand & intent but also is bug free and SEO-optimized is a challenge.

Themes come in various forms – free or premium, there are also theme frameworks such as Genesis, Hybrid and so on which provide basic functionality and hooks (optimized code) and can be extended/customized using “child” themes.

The video below is an excellent presentation by Lance Willett from Automattic and talks about the various facets of the wordpress landscape.

Some of the concepts covered in this video are:

– Frameworks – Starter frameworks, Options Framework and Child Themes

– Commercial Themes and Marketplace

Couple of interesting ways to check for good themes is by verifying if the theme developer has put in a 404 error (and if he/she has put some creative thoughts into it) and by looking at how they have designed the “Widgets” area.

For more such nifty tips, watch this video:

How To Create A Featured Post Section In WP (And Get Pagination To Work)
If you’ve been working with WordPress for some time I’m sure there are a couple things you’ve had a hard time figuring out. One of the things I get asked a lot is how to get pagination working when you have a ‘featured post‘ section on the homepage.

Read more:

Beginner’s Guide to Preventing Blog Content Scraping in WordPress
Blog content scraping is an act usually performed with scripts that extract content from numerous sources and pulls it into one site. It is so easy now that anyone can install a WordPress site, put a free or commercial theme, and install a few plugins that will go and scrape content from selected blogs, so it can be published on their site.

Read more:

Customize the WordPress admin area
Tailor the Administration Screens in WordPress to match your client’s branding with Thomas Hardy’s guide to customizing the popular CMS. While WordPress’ admin area works well, if you’re using it on a client’s website, you may want to customize it to give a more personalised feel by styling it using either yours or your client’s branding. In this tutorial, we will explore how to do just that.

Read more: